Cross vCenter Server export with error "Authenticity of the host's SSL certificate is not verified"



Article ID: 397288


Products

VMware vCenter Server

Issue/Introduction

Symptoms

  • When performing a cross vCenter Server export (exporting a virtual machine from one vCenter Server to another), the "Select a compute resource" step fails with the error "Authenticity of the host's SSL certificate is not verified".
  • On the source vCenter Server, /var/log/vmware/vpxd/vpxd.log contains a warning like the one below:

YYYY-MM-DDTHH:MM:SS warning vpxd[06965] [Originator@6876 sub=HttpConnectionPool-000001 opID=XXXXXX] Failed to get pooled connection; <cs p:00007fc3781f3830, TCP:<Destination vCenter IP>:443>, SSL(<io_obj p:0x00007fc354855978, h:83, <TCP '<Source vCenter IP> : 36222'>, <TCP '<Destination vCenter IP> : 443'>>), duration: 6msec, N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
--> PeerThumbprint: <Destination vCenter machine ssl thumbprint>
--> ExpectedThumbprint:
--> ExpectedPeerName: <Destination vCenter IP>
--> The remote host certificate has these problems:
-->
--> * Host name does not match the subject name(s) in certificate.)

  • The vCenter Server machine SSL certificate was issued by a third-party CA.

Environment

VMware vCenter Server 7.x

VMware vCenter Server 8.x

Cause

The machine SSL certificate of the destination vCenter Server identifies the host by its FQDN only, but because the destination was specified by IP address, the source vCenter Server expects the certificate to contain that IP address (this is the ExpectedPeerName in the warning above).

Use the command below on the destination vCenter Server to print its machine SSL certificate, then check the "X509v3 Subject Alternative Name" section: it contains only the FQDN and no IP address.

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text


Resolution

Option 1:

Specify the destination vCenter Server using its FQDN.

1. Clear the browser cache or open the vSphere Client in an incognito/private browsing window.
2. Initiate the migration wizard and specify the destination vCenter Server with its FQDN instead of its IP address.


Option 2:

Generate a CSR on the destination vCenter Server and have the third-party CA reissue the vCenter Server machine SSL certificate with the destination vCenter Server's IP address included in the "X509v3 Subject Alternative Name" section in addition to the FQDN.

Then import the reissued certificate into the destination vCenter Server.
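To see why the check described under Cause fails and what the reissued certificate from Option 2 must contain, the following shell script (an added example, not part of this article and not VMware tooling) builds two self-signed test certificates with openssl, one whose SAN holds only a DNS name and one that also holds an IP address, and then checks each the way a TLS client does: once against a hostname and once against an IP address. The hostname vc-dst.example.test and the address 192.0.2.10 are constructed test values, and the script assumes OpenSSL 1.1.1 or later for -addext, -checkhost and -checkip. vCenter Server generates its CSR with its own certificate tooling, which is not shown here; the point is only which SAN entries that CSR has to carry.

```shell
#!/bin/sh
# Added example, not from the KB article: show that a certificate whose SAN
# holds only a DNS name fails an IP-address peer check, and that adding an
# iPAddress SAN entry fixes it. Requires OpenSSL 1.1.1+ (-addext, -checkhost,
# -checkip). The hostname and IP below are constructed test values.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME SAN  -- self-signed test certificate whose SAN is exactly SAN.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$1" -addext "subjectAltName=$2" >/dev/null 2>&1
}

# san_of NAME  -- print the SAN section, the field the article tells you to inspect.
san_of() {
    openssl x509 -in "$WORK/$1.crt" -noout -text | grep -A1 'Subject Alternative Name'
}

# matches NAME host|ip VALUE  -- prints "yes" or "no", decided by OpenSSL's own
# X509_check_host / X509_check_ip logic. A DNS SAN entry never satisfies an
# IP check, and once a SAN is present the subject CN is not consulted at all.
matches() {
    case "$2" in
        host) flag=-checkhost ;;
        ip)   flag=-checkip ;;
        *)    echo "usage: matches NAME host|ip VALUE" >&2; return 2 ;;
    esac
    if openssl x509 -in "$WORK/$1.crt" -noout "$flag" "$3" 2>&1 | grep -q 'does match'; then
        echo yes
    else
        echo no
    fi
}

FQDN=vc-dst.example.test   # constructed destination vCenter name
IP=192.0.2.10              # constructed destination vCenter address (TEST-NET-1)

make_cert fqdn-only   "DNS:$FQDN"          # what the third-party CA issued
make_cert fqdn-and-ip "DNS:$FQDN,IP:$IP"   # what Option 2 asks the CA to issue

for c in fqdn-only fqdn-and-ip; do
    echo "== $c"
    san_of "$c"
    echo "  ExpectedPeerName=$FQDN -> $(matches "$c" host "$FQDN")"
    echo "  ExpectedPeerName=$IP -> $(matches "$c" ip "$IP")"
done
```

The fqdn-only certificate reproduces the warning in the Symptoms section: the hostname check passes, the IP check fails. Option 1 works because it changes the ExpectedPeerName to the FQDN; Option 2 works because it changes the certificate so that both checks pass.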